Security Bypass in IBM Tivoli Federated Identity Manager
CVE-2011-3138

Currently unrated

Key Information:

Vendor: IBM
CVE Published: 12 August 2011

Summary

The LTPA STS module in IBM Tivoli Federated Identity Manager versions prior to 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class without adequate thread safety. As a result, LTPA token signature verification can potentially be bypassed, allowing an attacker to circumvent the security measures designed to protect user authentication and thereby compromise system integrity.
